NAT64 policy and DNS64 (DNS proxy)

NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.

Sample topology

In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which only has an IPv4 address on the Internet. Central NAT is disabled.

  1. The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.

  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.

  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.16.200.55.

  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.

  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.

  6. The FortiGate translates the destination address of the packets from IPv6 address 64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.

Sample configuration

To configure a NAT64 policy with DNS64 in the GUI:
  1. Enable IPv6 and DNS database:

    1. Go to System > Feature Visibility.

    2. In the Core Features section, enable IPv6.

    3. In the Additional Features section, enable DNS Database.

    4. Click Apply.

  2. Enable DNS proxy on the IPv6 interface:

    1. Go to Network > DNS Servers.

    2. In the DNS Service on Interface table, click Create New.

    3. For Interface, select port10.

    4. For Mode, select Forward to System DNS.

    5. Click OK.

  3. Configure the IPv6 DHCP server:

    1. Go to Network > Interfaces and edit port10.

    2. Enable DHCPv6 Server and enter the following:

      IPv6 subnet: 2001:db8:1::/64
      DNS service: Specify
      DNS server 1: 2001:db8:1::10

    3. Click OK.

  4. Configure the IPv6 VIP for the destination IPv6 addresses:

    These are all of the IPv6 addresses that the FortiGate DNS proxy synthesizes when an IPv6 device performs a DNS query that resolves to an IPv4 address. In this example, the synthesized IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits, so the VIP covers all of the IPv6 addresses that begin with 64:ff9b.

    1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.

    2. Enter the following:

      VIP type: IPv6
      Name: vip6
      External IP address/range: 64:ff9b::-64:ff9b::ffff:ffff
      Map to IPv4 address/range: Use Embedded

    3. Click OK.

  5. Configure the IPv6 firewall address for the internal network:

    1. Click Create New > Address.

    2. Enter the following:

      Category: IPv6 Address
      Name: internal-net6
      Type: IPv6 Subnet
      IP/Netmask: 2001:db8:1::/48

    3. Click OK.

  6. Configure the IP pool containing the IPv4 address that is used as the source address of the packets exiting port9:

    1. Go to Policy & Objects > IP Pools and click Create New.

    2. Enter the following:

      IP Pool Type: IPv4 Pool
      Name: exit-pool4
      Type: Overload
      External IP address/range: 172.16.200.200-172.16.200.207
      NAT64: Enable

      Note: The External IP address/range must start and end on the boundaries of a valid subnet. For example, 172.16.200.0-172.16.200.7 and 172.16.200.16-172.16.200.31 are valid subnets (/29 and /28 respectively).

    3. Click OK.

  7. Configure the NAT64 policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter the following:

      Name: policy64-1
      Incoming Interface: port10
      Outgoing Interface: port9
      Source: internal-net6
      Destination: vip6
      Schedule: always
      Service: ALL
      Action: ACCEPT
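The following added example (not FortiGate code or part of the original page) models the DNS64 synthesis from the sample topology, the "Use Embedded" reverse mapping and policy64-1 match from the sample configuration, and the IP pool boundary rule from the note in step 6. The prefix, networks and VIP range are the values from this page; the client address 2001:db8:1::20 and the extra test ranges are constructed.

```python
import ipaddress

# Values taken from the sample configuration on this page; the helper functions
# and test inputs are constructed for this example and are not FortiGate code.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")      # default DNS64/NAT64 prefix
INTERNAL_NET6 = ipaddress.IPv6Network("2001:db8:1::/48")  # firewall address internal-net6
VIP6_START = ipaddress.IPv6Address("64:ff9b::")           # vip6 external range
VIP6_END = ipaddress.IPv6Address("64:ff9b::ffff:ffff")


def synthesize_aaaa(ipv4: str) -> str:
    """DNS64: NAT64 prefix in the upper 96 bits, the A-record address in the lower 32 bits."""
    embedded = int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def extract_embedded_ipv4(ipv6: str) -> str:
    """NAT64 'Use Embedded' mapping: recover the IPv4 destination from the lower 32 bits."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{v6} does not carry the NAT64 prefix {NAT64_PREFIX}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


def policy64_translate(src6: str, dst6: str):
    """Emulate policy64-1: accept only internal-net6 -> vip6 and return the IPv4
    destination the FortiGate would forward to, or None when the policy does not match."""
    src, dst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    if src not in INTERNAL_NET6 or not (VIP6_START <= dst <= VIP6_END):
        return None
    return extract_embedded_ipv4(dst6)


def pool_range_is_valid(start: str, end: str) -> bool:
    """IP pool note: start and end must lie on the boundaries of one valid subnet,
    i.e. the range must be exactly one CIDR block (172.16.200.0-172.16.200.7 is a /29)."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        return False
    return len(list(ipaddress.summarize_address_range(first, last))) == 1


if __name__ == "__main__":
    aaaa = synthesize_aaaa("172.16.200.55")  # step 3 of the sample topology
    print("synthesized AAAA:", aaaa)  # 64:ff9b::ac10:c837 (the same address as 64:ff9b::172.16.200.55)
    print("translated dst:", policy64_translate("2001:db8:1::20", aaaa))  # 172.16.200.55
    print("exit-pool4 range ok:", pool_range_is_valid("172.16.200.200", "172.16.200.207"))  # True
```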